Anyone can upload a Homebrew formula to Github that installs a malicious binary via brew.
Debian, for example, has trusted build systems that compile packages for their package repositories, and some packages already have reproducible builds[1].
Package repositories on Linux tend to provide the sources and binaries needed to install software. Homebrew just supplies formulas on GitHub, which only contain instructions on how to fetch and install externally hosted binaries, or instructions on how to fetch and install via externally hosted source code.
Homebrew has build servers that compile pre-built binaries.[1] Most of the common software that people install with it (not considering Casks) comes in this form.
Itβs not the case that anyone can upload a malicious formula, either. They do review requests to update formulas.
Is the Homebrew github repo not a package repository?